Tag Archives: Ransomware

Atlanta Was Not Prepared To Respond To A Ransomware Attack

Image: Atlanta Ransomware (credit: Dan X. O’Neil)

“STATESCOOP”

“A month after the SamSam ransomware virus infected its computer systems, Atlanta’s city government still struggles to provide several services to its residents.

The city is scrambling to dig out from arguably the highest-profile ransomware incident on U.S. soil yet, shelling out nearly $2.7 million in emergency contracts to IT consultants and crisis managers.”

________________________________________________________________________________________

“Water and sewer bills can’t be paid online or over the phone, and business licenses can only be obtained in person. Public Wi-Fi at Hartsfield-Jackson International Airport, the country’s busiest airport, was down for two weeks. City council members reported losing decades’ worth of correspondence. The municipal courthouse only regained the ability to schedule traffic-ticket hearings on April 16.

Atlanta officials may eventually give full accounting of how the March 22 ransomware attack was allowed to happen, and why the recovery process has been so slow and out of the public view. (The city last issued an official update on March 30.) But the hack hit just the right conditions to sow mayhem: In the weeks since officials were locked out of their systems for a $51,000 ransom demand, it’s been revealed that Atlanta’s municipal IT was woefully disorganized and outdated. Couple that with the recent swearing-in of Mayor Keisha Lance Bottoms, who by her own admission had not devoted much attention toward cybersecurity, and Atlanta became a ripe target for digital bedlam.

As recently as January, the city auditor was excoriating officials for a lax approach toward cybersecurity that left the government with obvious vulnerabilities, obsolete software and an IT culture driven by “ad hoc or undocumented” processes, according to a report published that month by the auditor’s office.

Not everyone is looking for someone to blame, though. Amid all the frustration that the cyberattack has caused, there’s one push for Atlanta to conduct a “blameless” review of the episode. But that seems like something that’s still a long way off from happening. Whatever the case, the attack was not surprising to cybersecurity experts.

“Atlanta is a fairly typical path,” said Max Kilger, a business professor who specializes in cybersecurity at the University of Texas at San Antonio. “These guys seem to be targeting organizations that work for the public good. There’s an urgency when a city gets taken down. The ransomware people are basically counting on that to leverage a payment out of these targets.”

Better to spend now than pay later

By all known accounts, Atlanta hasn’t paid up, though the mayor’s public remarks about it have been inconclusive. “Everything is up for discussion,” Bottoms said six days into the hack. The involvement of the FBI, which recommends ransomware victims refuse their attackers’ demands, suggests Atlanta hasn’t given in.

Kilger said a city as large as Atlanta, with a $2.1 billion budget, is a tempting target for ransomware operators because the ransom demand is so paltry compared to the city’s pocketbook. Even if Atlanta won’t pay, the hackers behind the SamSam ransomware are still running a tidy operation — collecting nearly $850,000 since their first attack in late 2015, according to analyses of the SamSam group’s bitcoin wallet. That includes payments from ransomware victims that did pay the bounties to recover their data, including Hancock Regional Hospital in Indiana and Yarrow Point, Washington, an affluent town of 1,000 residents just east of Seattle.

But in those cases, the targets went against the FBI’s advice. The bureau recommends against acceding to ransom demands for the simple reason that a ransomware victim has no guarantee that its attacker won’t “shoot the hostage” anyway. “Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” the FBI advises.

If there’s money going anywhere, it’s to consultants. In the month since the hack, Atlanta has doled out more than half a dozen emergency contracts to cybersecurity firms like Secureworks, Fyrsoft, and CDW, and consulting services from Ernst & Young and Edelman to manage the public response. In Colorado, where a SamSam attack in February took out internal systems at the state’s transportation department, officials have spent between $1 million and $1.5 million on recovery so far.

Government IT officials might find it’s better to spend more money up front hardening their cybersecurity, rather than shelling out after a hack.

“If I were an executive, I would look at the risk equation,” said Walter Tong, a security architect at the Georgia Technology Authority, which manages the state’s IT infrastructure. “Is it worth spending the money or paying the ransom? I would not like to be in that kind of position.”

IT complacency

Tong’s office is not working on Atlanta’s recovery; he said it doesn’t offer the kinds of recovery services the city needs right now. But he said he knows the job of rebuilding the city’s computer systems will be a long one.

“It takes a while to rebuild and reconstruct applications and network devices,” Tong said. “Hackers choose targets and they find ways of getting there, whether it’s to cause a disruption of service or destruction of data, or both.”

Unlike other ransomware programs that take over networks when a user opens a phishing email or inadvertently runs a malignant program, SamSam infiltrates systems with brute-force attacks like guessing weak or default passwords until one breaks through. SamSam often targets Java-based application servers or Microsoft’s Remote Desktop Protocol.

Tong said his office often looks for those kinds of vulnerabilities in network settings and older devices. Had Tong’s team examined Atlanta’s systems, they would’ve found those conditions in abundance. The city auditor’s January report found nearly 100 government servers running on Windows Server 2003, which Microsoft stopped supporting in 2015.

“You can spend a lot of time on educating, making sure your network devices are patched and secure,” Tong said. “But once it happens, you have to have an instant response plan.”

The January audit report suggests Atlanta was nowhere near ready to deal with a cyberattack. Monthly scans conducted over the course of the audit found between 1,500 and 2,000 security vulnerabilities in Atlanta’s systems. In fact, the number of IT security flaws grew so large that city agencies slid into a habit of inaction, the audit stated.

“The large number of severe and critical vulnerabilities identified by the monthly vulnerability scan results metric has existed for so long the organizations responsible for this area have essentially become complacent and no longer take action other than to update the monthly report,” the document reads. “The significance of such a backlog of severe and critical vulnerabilities without corrective actions is evidence of procedural, technical or administrative failures in the risk management and security management processes.”

Don’t play the blame game

Whether the hackers who hit Atlanta knew it at the time, the ransomware arrived less than three months into the term of a new mayor who admitted after the hack that cybersecurity had not been one of her administration’s priorities. That was a shift from her predecessor, Kasim Reed, who often played up Atlanta’s emergence as a hub for the cybersecurity industry: The city is home to companies like SecureWorks and Bastille, and Reed went on trade missions to Israel to get that country’s cybersecurity firms to invest in Atlanta. Internally, Reed’s chief information officer, Samir Saini, oversaw some IT upgrades, like moving city employees from Microsoft Exchange servers to Microsoft’s cloud services.

Saini was snatched away by New York Mayor Bill de Blasio in January, leaving Saini’s former deputy, Daphne Rackley, as the interim CIO. Then on April 9, Bottoms shook up the city’s leadership by asking everyone in her 35-member cabinet, which is still comprised mostly of holdovers from Reed’s administration, to submit letters of resignation. Bottoms hasn’t announced who she’ll be keeping and who she’ll be replacing, but the ransomware attack has made the CIO job a crucial one to watch.

“Just as much as we focus on our physical infrastructure, we need to focus on the security of our digital infrastructure,” Bottoms said a few days after the hack.

But blame for the ransomware attack and responsibility for making sure it doesn’t happen again aren’t necessarily synonymous. Code for Atlanta, a Code for America brigade that advocates for better technology in municipal government, wants Bottoms to eventually order a report that avoids assigning blame.

The idea of a “blameless post-mortem” is widely attributed to developers at the craft site Etsy. In a 2012 post on Etsy’s developer blog, John Allspaw, then a senior vice president at the company, wrote that software engineers respond better to errors and accidents when they know there’s not an overt threat of punishment.

“[A]n engineer who thinks they’re going to be reprimanded are disincentivized to give the details necessary to get an understanding of the mechanism, pathology, and operation of the failure,” Allspaw wrote. “This lack of understanding of how the accident occurred all but guarantees that it will repeat. If not with the original engineer, another one in the future.”

Other companies, including Google, have since adopted that model of review after things go wrong. Code for Atlanta believes that model could work in the public sector, too.

“We want folks in city government to be accountable, but for us it’s more about a culture change,” the group’s leader, Luigi Ray-Montanez, told StateScoop. “When I was at city hall I saw this poster warning people to be wary of cyberattacks. It seems like they were aware of internet culture, but obviously mistakes were made.”

Atlanta City Auditor Amanda Noble told reporters when the audit was first publicized that city officials had started to upgrade their IT security when the ransomware attack hit. But the majority of recommendations the audit made are unlikely to be completed until the third and fourth quarters of 2018.

Despite a recent push to make her government more transparent — including plans to create websites on which the public can track city contracts and municipal data — Bottoms hasn’t given an official statement on the ransomware recovery in weeks. Her office has not responded to requests for an update. Rackley, the acting CIO, has not responded to requests for an interview.

Tong, the security architect for the Georgia Technology Authority, said the city’s current silence might be at the behest of the investigators.

“It’s an active investigation and they likely can’t disclose what’s going on,” he said.

The recovery time for a ransomware victim that doesn’t pay off its attacker can be long. The Colorado Department of Transportation was only 80 percent back online six weeks after it was hit by the SamSam virus. Atlanta’s systems have been flickering back on in spurts, with many public services still rolled back to the pen-and-paper era.

Atlanta’s IT professionals and the contractors it’s hired in the wake of attack are scrambling to patch the holes and upgrade to more secure systems. But lingering out there now, for Atlanta and everywhere else, is the threat of more ransomware attempts to come.

“This is one of many ransomware attacks, and there will be many more,” Kilger, the Texas professor, said. “It’s going to get worse.”

https://statescoop.com/atlanta-was-not-prepared-to-respond-to-a-ransomware-attack
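The StateScoop piece above notes that SamSam got in by guessing weak or default passwords against services such as Remote Desktop rather than through phishing. The detection below is an added example written for this archive, not code from the article or from any organization it names: it scans Windows Security logon events (failed logon event 4625, successful logon 4624, logon type 10 for Remote Desktop) for a burst of failures from one source address within a short window, and records whether a successful logon from that source followed. The event records are constructed for the example, and the threshold and window are assumptions to be tuned against real log volume.

```python
"""Detect Remote Desktop password-guessing bursts in Windows Security logon events.

Added example for this archive (not code from the StateScoop article). It looks for
the signal a defender would want when an intruder is guessing passwords against RDP:
many failed logons from one source address in a short window, possibly followed by a
success from the same source. The records below are constructed, not real telemetry;
the event IDs and logon type are the standard Windows values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624   # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = 10    # LogonType 10 = RemoteInteractive (Remote Desktop)

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2018-03-22T02:14:01", 4625, 10, "203.0.113.45", "administrator"),
    ("2018-03-22T02:14:05", 4625, 10, "203.0.113.45", "admin"),
    ("2018-03-22T02:14:09", 4625, 10, "203.0.113.45", "administrator"),
    ("2018-03-22T02:14:14", 4625, 10, "203.0.113.45", "backup"),
    ("2018-03-22T02:14:20", 4625, 10, "203.0.113.45", "scanner"),
    ("2018-03-22T02:14:26", 4625, 10, "203.0.113.45", "svc_backup"),
    ("2018-03-22T02:15:02", 4624, 10, "203.0.113.45", "svc_backup"),  # success after the burst
    ("2018-03-22T02:20:00", 4625, 3,  "203.0.113.45", "guest"),       # network logon, not RDP
    ("2018-03-22T09:00:10", 4625, 10, "198.51.100.7", "jdoe"),        # two typos, then success
    ("2018-03-22T09:00:40", 4625, 10, "198.51.100.7", "jdoe"),
    ("2018-03-22T09:01:05", 4624, 10, "198.51.100.7", "jdoe"),
    ("2018-03-22T10:00:00", 4625, 10, "192.0.2.9", "operator"),       # five failures, but
    ("2018-03-22T10:08:00", 4625, 10, "192.0.2.9", "operator"),       # spread over 32 minutes
    ("2018-03-22T10:16:00", 4625, 10, "192.0.2.9", "operator"),
    ("2018-03-22T10:24:00", 4625, 10, "192.0.2.9", "operator"),
    ("2018-03-22T10:32:00", 4625, 10, "192.0.2.9", "operator"),
]


def parse_events(rows):
    """Convert raw tuples into dicts with datetime timestamps, ordered by time."""
    events = [{"time": datetime.fromisoformat(ts), "event_id": eid, "logon_type": ltype,
               "source_ip": ip, "account": acct} for ts, eid, ltype, ip, acct in rows]
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced >= threshold RDP failures inside `window`.

    Each alert records the first failure time, the peak failure count seen in any window,
    the account names tried, and the account of a later RDP success from that source
    (None if no success was seen). Threshold and window are assumed values.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of RDP failures still in the window
    tried = defaultdict(set)      # source_ip -> account names seen in those failures
    alerts = {}                   # source_ip -> alert dict
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue              # other logon types are out of scope for this detector
        ip = e["source_ip"]
        if e["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:   # slide the window forward
                q.popleft()
            tried[ip].add(e["account"])
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"source_ip": ip, "first_seen": q[0].isoformat(),
                                               "failures": 0, "accounts": [],
                                               "success_account": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] = sorted(tried[ip])
        elif e["event_id"] == SUCCESS_LOGON and ip in alerts and alerts[ip]["success_account"] is None:
            alerts[ip]["success_account"] = e["account"]   # likely compromise: success after burst
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run as-is, the sample raises a single alert for 203.0.113.45 with six failures across five account names and a later success as `svc_backup`; the two mistyped passwords from 198.51.100.7 and the slow, spread-out failures from 192.0.2.9 stay below threshold, which is the trade-off a defender tunes with the window size.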


WannaCry: Top 5 lessons learned

Image: Fifth Domain Cyber

“FIFTH DOMAIN CYBER”

“Ransomware infections are growing. There is an estimated 36 percent increase in ransomware strains per year.

Perhaps the lesson we should all learn is that global collaboration, communication and coordination is necessary to get ahead of malware infestations.

The WannaCry ransomware brought with it some unexpected consequences. It spread to an estimated 150-plus countries and impacted more than 300,000 computers. It had a substantial impact.

Recent estimates place the overall range of financial implications from $4 billion to $8 billion. Most of the impact is due to loss of productivity as well as costs associated with recovery, malware removal and re-imaging hard drives.

There were a number of lessons learned from this particular ransomware event. Here are the top five:

1. This event has many national cyber defense leaders calling for closer collaboration among countries.

2. Rogue nation-states may resort to malware attacks to create disruption of computing capabilities that is nothing more than an annoyance.

3. Reuse of previously used malicious code is common, and that alone does not provide insight into who is behind the attack.

4. The continued use of unsupported software poses substantial risks and must be addressed in all essential/critical systems.

5. The Un factor (unknown devices and unknown patches) is sitting there waiting to be compromised and used by attackers.

Some might say we learned that paying ransom demands does not mean a system will get unlocked. That is certainly true, but has been known for several years. Maintaining an accurate technology/devices/computer asset inventory is essential to maintaining timely backups and systems’ security.

In looking at all of this, one must realize that we have known all of this for years and yet we still suffer from these attacks! One has to wonder what it will take to correct these well-known shortcomings!”

http://fifthdomain.com/2017/06/06/wannacry-top-5-lessons-learned-commentary/
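Both the Atlanta audit quoted earlier (nearly 100 servers on Windows Server 2003 and a backlog of unremediated findings) and lessons 4 and 5 above come down to knowing what is on the network and whether it can still be patched. The script below is an added example for this archive, not code from Fifth Domain or from the Atlanta auditor’s office: it runs an asset inventory against vendor end-of-support dates and a maximum patch age, and reports unsupported systems, stale patching, and the “Un factor” entries whose operating system or patch state is simply unrecorded. The inventory, the as-of date and the 90-day patch-age limit are constructed assumptions; the end-of-support dates are Microsoft’s published dates for those products.

```python
"""Audit an asset inventory for unsupported operating systems and unknown patch state.

Added example for this archive (not code from the quoted articles). It makes the
'unsupported software' and 'unknown devices, unknown patches' lessons checkable:
every host is classified as unsupported, stale, unknown, or fine. The inventory and
the as-of date are constructed; END_OF_SUPPORT holds Microsoft's published
end-of-extended-support dates.
"""
from datetime import date, timedelta

# Vendor end-of-extended-support dates (Microsoft's published dates).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed inventory: (hostname, operating system or None, date of last patch run or None)
SAMPLE_INVENTORY = [
    ("ws-fin-01", "Windows 10", date(2018, 4, 2)),
    ("srv-legacy-03", "Windows Server 2003", date(2015, 6, 1)),
    ("srv-web-07", "Windows Server 2012 R2", date(2017, 11, 20)),
    ("printer-lobby", None, None),          # device found on the network, nothing recorded
    ("ws-hr-12", "Windows 7", None),        # OS known, patch state never recorded
    ("ws-fin-01", "Windows 10", date(2018, 4, 2)),   # duplicate record from a second scan
]

AS_OF = date(2018, 4, 16)   # constructed audit date


def audit_inventory(inventory, as_of, max_patch_age=timedelta(days=90)):
    """Return {'hosts_checked': n, 'findings': [(hostname, kind, detail), ...]}.

    kinds: unsupported_os, unknown_os, unknown_patch_state, stale_patch.
    Duplicate hostnames are counted once. An unsupported OS gets no patch-age
    finding, since the vendor ships no fixes for it anyway.
    """
    seen = set()
    findings = []
    for hostname, os_name, last_patch in inventory:
        if hostname in seen:
            continue
        seen.add(hostname)
        if os_name is None:
            findings.append((hostname, "unknown_os", "no operating system recorded"))
        else:
            eol = END_OF_SUPPORT.get(os_name)
            if eol is not None and eol <= as_of:
                findings.append((hostname, "unsupported_os",
                                 f"{os_name} left vendor support on {eol.isoformat()}"))
                continue
        if last_patch is None:
            findings.append((hostname, "unknown_patch_state", "no patch date recorded"))
        elif as_of - last_patch > max_patch_age:
            days = (as_of - last_patch).days
            findings.append((hostname, "stale_patch", f"last patched {days} days ago"))
    return {"hosts_checked": len(seen), "findings": findings}


def summarize(report):
    """Count findings by kind, the figure a monthly report would carry forward."""
    counts = {}
    for _, kind, _ in report["findings"]:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, AS_OF)
    for hostname, kind, detail in report["findings"]:
        print(f"{hostname:15} {kind:20} {detail}")
    print(summarize(report))
```

The point of separating `unknown_os` and `unknown_patch_state` from `stale_patch` is that a blank field is not a passing result: a host nobody can describe is exactly the “Un factor” the commentary warns about, and it should appear on the report until someone records what it is.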

4 Ways to Protect Against the Very Real Threat of Ransomware

Image: Getty Images

“WIRED”

“You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your computer or critical files until you pay a ransom to unlock them.

Ransomware is a multi-million-dollar crime operation that strikes everyone from hospitals to police departments to online casinos.

It’s such a profitable scheme that experts say traditional cyberthieves are abandoning their old ways of making money—stealing credit card numbers and bank account credentials—in favor of ransomware.

You could choose to cave and pay, as many victims do. Last year, for example, the FBI says victims who reported attacks to the Bureau enriched cyber extortionists’ coffers by $24 million. But even if you’ve backed up your data in a safe place and choose not to pay the ransom, this doesn’t mean an attack won’t cost you. Victims of the CryptoWall ransomware, for example, have suffered an estimated $325 million in damages since that strain of ransomware was discovered in January 2015, according to the Cyber Threat Alliance (.pdf). The damages include the cost of disinfecting machines and restoring backup data—which can take days or weeks depending on the organization.

But don’t fear—you aren’t totally at the mercy of hackers. If you’re at risk for a ransomware attack, there are simple steps you can take to protect yourself and your business. Here’s what you should do.

First of All, Who Are Ransomware’s Prime Targets?

Any company or organization that depends on daily access to critical data—and can’t afford to lose access to it during the time it would take to respond to an attack—should be most worried about ransomware. That means banks, hospitals, Congress, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure, to a degree. Ransomware, for example, could affect the Windows systems that power and water plants use to monitor and configure operations, says Robert M. Lee, CEO at critical infrastructure security firm Dragos Security. The slightly relieving news is that ransomware, or at least the variants we know about to date, wouldn’t be able to infect the industrial control systems that actually run critical operations.

“Just because the Windows systems are gone, doesn’t mean the power just goes down,” he told WIRED. “[But] it could lock out operators from viewing or controlling the process.” In some industries that are heavily regulated, such as the nuclear power industry, this is enough to send a plant into automated shutdown, as regulations require when workers lose sight of operations.

Individual users are also at risk of ransomware attacks against home computers, and some of the suggestions below will apply to you as well, if you’re in that category.

1. Back Up, as Big Sean Says

The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.

“More than 5,000 customers have called us for help with ransomware attacks in the last 12 months,” says Chris Doggett, senior vice president at Carbonite, which provides cloud backup services for individuals and small businesses. One health care customer lost access to 14 years of files, he says, and a community organization lost access to 170,000 files in an attack, but both had backed up their data to the cloud so they didn’t have to pay a ransom.

Some ransomware attackers search out backup systems to encrypt and lock, too, by first gaining entry to desktop systems and then manually working their way through a network to get to servers. So if you don’t back up to the cloud and instead backup to a local storage device or server, these should be offline and not directly connected to desktop systems where the ransomware or attacker can reach them.

“A lot of people store their documents in network shares,” says Anup Ghosh, CEO of security firm Invincea. “But network shares are as at risk as your desktop system in a ransomware infection. If the backups are done offline, and the backup is not reachable from the machine that is infected, then you’re fine.”

The same is true if you do your own machine backups with an external hard drive. Those drives should only be connected to a machine when doing backups, then disconnected. “If your backup drive is connected to the device at the time the ransomware runs, then it would also get encrypted,” he notes.

Backups won’t necessarily make a ransomware attack painless, however, since it can take a week or more to restore data, during which business operations may be impaired or halted.

“We’ve seen hospitals elect to pay the ransom because lives are on the line and presumably the downtime that was associated, even if they had the ability to recover, was not considered acceptable,” says Doggett.

2. Just Say No—To Suspicious Emails and Links

The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.

But ransomware hackers have also adopted another highly successful method—malvertising—which involves compromising an advertiser’s network by embedding malware in ads that get delivered through web sites you know and trust, such as the malvertising attacks that recently struck the New York Times and BBC. Ad blockers are one way to block malicious ads, and patching known browser security holes will also thwart some malvertising.

When it comes to phishing attacks, experts are divided about the effectiveness of user training to educate workers on how to spot such attacks and right-click on email attachments to scan them for malware before opening. But with good training, “you can actually truly get a dramatic decrease in click-happy employees,” says Stu Sjouwerman, CEO of KnowBe4, which does security awareness training for companies. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.” He says with awareness training he’s seen the number of workers clicking on phishing attacks drop from 15.9 percent to just 1.2 percent in some companies.

Doggett agrees that user training has a role to play in stopping ransomware.

“I see far too many people who don’t know the security 101 basics or simply don’t choose to follow them,” says Doggett. “So the IT department or security folks have a very significant role to play [to educate users].”

3. Patch and Block

But users should never be considered the stop-gap for infections, Ghosh says. “Users will open attachments, they will visit sites that are infected, and when that happens, you just need to make sure that your security technology protects you,” he says.

His stance isn’t surprising, since his company sells an end-point security product designed to protect desktop systems from infection. The product, called X, uses deep learning to detect ransomware and other malware, and Ghosh says a recent test of his product blocked 100 percent of attacks from 64 malicious web sites.

But no security product is infallible—otherwise individuals and businesses wouldn’t be getting hit with so much ransomware and other malware these days. That’s why companies should take other standard security measures to protect themselves, such as patching software security holes to prevent malicious software from exploiting them to infect systems.

“In web attacks, they’re exploiting vulnerabilities in your third-party plug-ins—Java and Flash—so obviously keeping those up to date is helpful,” Ghosh says.

Whitelisting software applications running on machines is another way Sjouwerman says you can resist attacks, since the lists won’t let your computer install anything that’s not already approved. Administrators first scan a machine to note the legitimate applications running on it, then configure it to prevent any other executable files from running or installing.

Other methods network administrators can use include limiting systems’ permissions to prevent malware from installing on systems without an administrator’s password. Administrators can also segment access to critical data using redundant servers. Rather than letting thousands of employees access files on a single server, they can break employees into smaller groups, so that if one server gets locked by ransomware, it won’t affect everyone. This tactic also forces attackers to locate and lock down more servers to make their assault effective.

4. Got an Infection? Disconnect

When MedStar Health got hit with ransomware earlier this year, administrators immediately shut down most of the organization’s network operations to prevent the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and respond to ransomware, says that not only should administrators disconnect infected systems from the corporate network, they should also disable Wi-Fi and Bluetooth on machines to prevent the malware from spreading to other machines via those methods.

After that, victims should determine what strain of ransomware infected them. If it’s a known variant, anti-virus companies like Kaspersky Lab may have decryptors to help unlock files or bypass the lock without paying a ransom, depending on the quality of encryption method the attackers used.

But if you haven’t backed up your data and can’t find a method to get around the encryption, your only option to get access to your data is to pay the ransom. Although the FBI recommends not paying, Ghosh says he understands the impulse.

“In traditional hacks, there is no pain for the user, and people move on,” he says. But ransomware can immediately bring business operations to a halt. And in the case of individual victims who can’t access family photos and other personal files when home systems get hit, “the pain involved with that is so off the charts…. As security people, it’s easy to say no [to paying]. Why would you feed the engine that’s going to drive more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the money, because you’re not in their shoes.”

https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/


Healthcare and the Cyber Threat

Image: Reliabills.com

“THE CIPHERBRIEF”

“The healthcare industry has become a prime target for hackers.

But why are healthcare organizations such attractive targets for hackers? In short, healthcare providers hold a lot of valuable information about patients, and they tend to be less secure than other organizations.

In February, Hollywood Presbyterian Hospital very publicly paid $17,000 to regain access to its files after being infected with a type of malware called ransomware. As the name suggests, ransomware encrypts all files on a computer until the victim pays a ransom to the attacker. This hack, though limited in scope, is just one example of a much larger problem with the healthcare industry’s cybersecurity posture.

In 2015 alone, hackers stole the records of 11 million people from Premera Blue Cross, 10 million people from Excellus BlueCross BlueShield, and 80 million people from Anthem. In contrast, only 22 million people were directly affected by the hackers who stole information from the Office of Personnel Management.

The trend of healthcare providers and insurance companies being targeted by cyber-criminals shows no sign of stopping.

Greg Porter of Allegheny Digital told the Cipher Brief “the bar to make it more difficult to get credit card data has ramped up for many attackers, so they are looking for another easy target. And in many ways, healthcare, unfortunately, falls into that demographic.” Additionally, healthcare information is very rich – meaning that it can be used for a wide variety of illicit activities.

Since healthcare providers are relatively low-hanging fruit for cyber-criminals, they are facing an increasing number of cyber attacks. The ransomware attack on Hollywood Presbyterian clearly demonstrates this. The hackers made $17,000 with relatively little effort or risk on their part. There are regulations to help ensure that patient records are kept secure, such as the Health Insurance Portability and Accountability Act (HIPAA), but complying with regulations is not synonymous with having strong cybersecurity.

Cybersecurity concerns are relatively new for the healthcare industry. Denise Anderson, President of the National Health Information Sharing and Analysis Center (NH-ISAC), told The Cipher Brief that “The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act essentially was the driver for the threat environment we see today by requiring providers to use electronic medical records (EMR) by 2015.” Healthcare providers started getting hacked shortly thereafter. The shift towards electronic record keeping occurred faster than the corresponding acquisition of network-protection systems, and this created exploitable vulnerabilities for hackers.

However, there has been greater movement towards improving cybersecurity in healthcare. The NH-ISAC was created to help coordinate the sharing of threat information across the healthcare industry. More healthcare providers and insurers are becoming aware of the threat and risk they face. Just as with many other critical industries, healthcare is rapidly learning how to better protect itself from the growing number of bad actors using cyber-capabilities to steal money and information.

The cyber-threat environment will continue to adapt, and it is unclear to what extent large, public incidents like the one at Hollywood Presbyterian will change attack patterns. Anderson says that “Hollywood Presbyterian could have painted a big bull’s-eye on the healthcare sector by paying the ransom. That remains to be seen.”

In contrast, Porter felt that “this one incident got sensationalized because of the ransomware involved.” If the theft of more than 80 million records in 2015 didn’t change things then a $17,000 ransom probably wouldn’t either. However, both agree that healthcare providers and insurers need to look beyond HIPAA and improve both cybersecurity and resilience. Whether through better training for improved cyber-hygiene, increased information-sharing, or stronger public-private partnerships, there are many ways for the healthcare industry to fix its cybersecurity problem. Otherwise, the massive theft of patient information that was seen throughout 2015 could continue, unabated.”

https://www.thecipherbrief.com/article/techcyber/healthcare-and-cyber-threat